spring-cloud / spring-cloud-dataflow

A microservices-based Streaming and Batch data processing in Cloud Foundry and Kubernetes
https://dataflow.spring.io
Apache License 2.0

adding a custom cacert certificate #5940

Closed Setxand closed 1 month ago

Setxand commented 2 months ago

Hey guys, I don't know whether it's even a bug, but I can't figure out one thing with adding a custom certificate to the JVM. I can't run `keytool -importcert -v -noprompt -trustcacerts -file /opt/certs/certificate.cer -keystore /opt/custom-certs/cacerts -srcalias sourceAlias -destalias keycloak -storepass changeit`

because it runs as user 1001, not as root (and there are a lot of problems if you run SCDF as user 0 (root)),

so I added initContainers:

initContainers:

also added this env var:

and in the end I see this log at first

```
Defaulted container "server" out of: server, init-cert-container (init)
Setting Active Processor Count to 8
Adding $JAVA_OPTS to $JAVA_TOOL_OPTIONS
Calculated JVM Memory Configuration: -XX:MaxDirectMemorySize=10M -Xmx7670301K -XX:MaxMetaspaceSize=206306K -XX:ReservedCodeCacheSize=240M -Xss1M (Total Memory: 8G, Thread Count: 250, Loaded Class Count: 34010, Headroom: 0%)
Enabling Java Native Memory Tracking
Using readonly truststore: /tmp/truststore
Adding 137 container CA certificates to JVM truststore
Spring Cloud Bindings Enabled
Picked up JAVA_TOOL_OPTIONS: -Djava.security.properties=/layers/paketo-buildpacks_bellsoft-liberica/java-security-properties/java-security.properties -XX:+ExitOnOutOfMemoryError -XX:ActiveProcessorCount=8 -Djavax.net.ssl.trustStore=/opt/custom-certs/cacerts -Djavax.net.ssl.trustStorePassword=changeit -XX:MaxDirectMemorySize=10M -Xmx7670301K -XX:MaxMetaspaceSize=206306K -XX:ReservedCodeCacheSize=240M -Xss1M -XX:+UnlockDiagnosticVMOptions -XX:NativeMemoryTracking=summary -XX:+PrintNMTStatistics -Djavax.net.ssl.trustStore=/tmp/truststore -Dorg.springframework.cloud.bindings.boot.enable=true
```

There you can see that my JAVA_OPTS was added to the Java options, but you can also see a later option, `-Djavax.net.ssl.trustStore=/tmp/truststore`, and my certificate doesn't go there. Do you have any other solution to safely add this certificate, or a config I should change to get it to work? Or is it an issue that can't be resolved for now?

image version: 2.11.2

corneil commented 2 months ago

If you are trying to add custom certs to the spring-cloud-dataflow-server container or the spring-cloud-skipper-server container, I suggest you look at "How to build a container from the jar using Paketo buildpacks" (https://docs.spring.io/spring-cloud-dataflow/docs/2.11.4/reference/htmlsingle/#_containers) and then look at https://paketo.io/docs/howto/configuration/#ca-certificates
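A Kubernetes fragment, added here and not part of the thread or of the SCDF project, showing the Paketo runtime `ca-certificates` binding that the linked Paketo page describes: the certificate is delivered as a Secret mounted as a binding directory, and the buildpack's CA helper adds it to the JVM truststore at startup (the same helper that logs "Adding ... container CA certificates to JVM truststore" above), so no keytool, no root user and no JAVA_OPTS override is needed. The Secret name, file name and Deployment name are placeholders.

```yaml
# Added example (not from the thread): deliver a custom CA to a Paketo-built
# SCDF image through the runtime "ca-certificates" binding instead of keytool.
# custom-ca, keycloak-ca.pem and scdf-server are placeholder names.
apiVersion: v1
kind: Secret
metadata:
  name: custom-ca
stringData:
  # The helper only treats this directory as a CA binding if "type" is exactly this value.
  type: ca-certificates
  # One PEM file per certificate; a DER-encoded .cer must be converted to PEM first.
  keycloak-ca.pem: |
    -----BEGIN CERTIFICATE-----
    ...placeholder: PEM body of the CA certificate goes here...
    -----END CERTIFICATE-----
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: scdf-server
spec:
  template:
    spec:
      containers:
        - name: server
          image: springcloud/spring-cloud-dataflow-server:2.11.2
          env:
            # Tells the buildpack launcher where runtime bindings are mounted.
            - name: SERVICE_BINDING_ROOT
              value: /bindings
          volumeMounts:
            # Each subdirectory of SERVICE_BINDING_ROOT is one binding; this one
            # holds the "type" file plus the certificate(s).
            - name: custom-ca
              mountPath: /bindings/ca-certificates
              readOnly: true
      volumes:
        - name: custom-ca
          secret:
            secretName: custom-ca
```

With this in place the `-Djavax.net.ssl.trustStore=/tmp/truststore` entry seen in the log above is the truststore that already contains the added CA, so it should be left alone rather than overridden through JAVA_OPTS.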

Setxand commented 2 months ago

Hey @corneil, I see, thanks, I'll try something like that. Now I get that I can do something like adding the certificates locally, and when the Data Flow server is up, copy this truststore to /tmp/truststore in SCDF's container.

But can't I somehow disable `-Dorg.springframework.cloud.bindings.boot.enable=true` so it doesn't pick up the prepared config for the truststore, and set it manually via JAVA_OPTS? Or somehow override those cloud bindings opts?

corneil commented 1 month ago

@Setxand Another solution to look into is Vault to manage certificates and import into application.

corneil commented 1 month ago

@Setxand This is not an SCDF-specific issue.